Enhancing Security with Apache Localhost Mode in Plesk 18.0.56 (PPP-43250)

Comments

10 comments

  • Karl May

    Should you not explain here how to set it on/off?

    > The new CLI command plesk bin apache --listen-on-localhost can be used to turn on/off Apache localhost mode.

    Is true/false missing here? And does this command set the default behavior permanently, or only temporarily?

    And the hint about where to find the "panel.ini" file is missing, e.g. a link to https://docs.plesk.com/de-DE/obsidian/administrator-guide/plesk-administration/konfigurationsdatei-panelini.78509/

  • concedra gmbh (Edited)

    If apacheListenLocalhost is set to true, the Plesk AWStats feature does not work anymore, because the IP in the server logs is always 127.0.0.1.
    The external IP that hits the NGINX reverse proxy should be parsed to the logs, otherwise it will never work because all visitors come from the same IP address.
    Please fix this and use X-Real-IP or something else.

  • TorbHo (Edited)

    With that feature turned on, I am not able to retrieve the visitor's IP address via PHP $_SERVER[ 'REMOTE_ADDR' ].

    "Allow from xxx.xxx.xxx.xxx" via .htaccess is not possible, too.

    Any solution for that?

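The mechanism behind the symptoms concedra gmbh and TorbHo describe, as an added illustration that is not Plesk's own fix for PPPM-14170: with Apache in localhost mode the TCP peer of every request is the nginx proxy, so the client address has to be recovered from a header, which is what Apache 2.4's mod_remoteip does for the access log, for REMOTE_ADDR and for Require ip. It assumes nginx on the same host forwards the client address in X-Forwarded-For (proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for); the path and network in the Directory block are placeholders.

```apache
# Added example, not Plesk's own configuration. Recover the real client
# address behind a local reverse proxy with mod_remoteip (Apache 2.4).
# Assumes nginx proxies to 127.0.0.1 and sets X-Forwarded-For.

# Debian/Ubuntu: run "a2enmod remoteip" instead of this LoadModule line.
LoadModule remoteip_module modules/mod_remoteip.so

# Header the proxy uses to carry the original client address.
RemoteIPHeader X-Forwarded-For

# Trust that header only when the TCP peer is the local proxy. Without
# this restriction any client could spoof its address simply by sending
# its own X-Forwarded-For header.
RemoteIPInternalProxy 127.0.0.1
RemoteIPInternalProxy ::1

# Log with %a, the client address after mod_remoteip has rewritten it;
# %{c}a is the underlying peer (still 127.0.0.1) and is kept here so the
# two can be compared while verifying the setup.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" proxied
CustomLog logs/access_log proxied

# The rewritten address is what Require ip checks (the 2.4 form of the
# "Allow from" line in the comment above) and what CGI/FastCGI handlers
# receive as REMOTE_ADDR. Placeholder path and documentation-range network:
<Directory "/var/www/vhosts/example.com/httpdocs/admin">
    Require ip 203.0.113.0/24
</Directory>
```

Checking the first two fields of a logged request is the quickest verification: the first must be the visitor's address and the second 127.0.0.1; if both read 127.0.0.1, the proxy is not sending the header or the peer is not listed as an internal proxy.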
  • Luca Krebs

    Thanks for the recommendations Karl May, implemented accordingly.

  • Luca Krebs (Edited)

    TorbHo and concedra gmbh, thank you for reporting the described behavior. This will be fixed in the next hotfix for version 18.0.56.2.

    For reference: PPPM-14170, Change Log for Plesk Obsidian.

  • Gavin

    Does this really provide much additional security benefit? In any normal circumstance, wouldn't port 7080 and 7081 be closed at the firewall anyway? They certainly are on all my Plesk servers, so in that case - what benefit does this really offer?

  • Luca Krebs

    Hi Gavin, while it's a good idea to close ports 7080 and 7081 on your firewall, it's important to remember that firewall configurations can vary widely from system to system. Not all users may have these ports closed on their firewalls.

    The additional security benefit comes from the principle of "defense in depth". This is the use of multiple layers of security controls throughout an information technology (IT) system. The intent is to provide redundancy in the event that a security control fails or a vulnerability is exploited. In this context, even if a firewall fails or is misconfigured and these ports are left open, closing them at the application level provides an additional layer of security.

    This approach helps reduce the risk of unauthorized access and potential attacks. It's always better to have multiple security measures in place, even if some of them may seem redundant in certain configurations.

  • eCom Seller

    Seems like a really illogical default. Anyone running a web server should be smart enough to have not opened those ports to begin with, or they should not be running a web server. If the difference between security and vulnerability is bypassing nginx to get to the web app via apache directly, then you're hardly practicing any defense in depth. It also makes the apache web logs useless given they show all the requests as localhost. I've got security related feature requests in to Plesk for years now that go unattended to, but hey, we prevented apache from serving requests directly while breaking a bunch of other stuff in the process, congrats.

  • Luca Krebs

    Hi eCom Seller,

    Thank you for your feedback. We understand your concerns and appreciate the opportunity to provide clarification.

    The decision to have Apache listen on localhost by default for new installations is indeed a security measure. While it's true that anyone running a web server should ideally have their firewall configured correctly, the reality is that configurations can vary widely. This feature provides an extra layer of security, following the principle of "defense in depth".

    In terms of bypassing Nginx to go directly to the web application via Apache, this change doesn't eliminate other security measures in place. It's an additional layer, not a replacement. The goal is to reduce the attack surface and potential vulnerabilities.

    Regarding the Apache web logs, we're pleased to report that the issue with Apache only displaying the localhost IP address has been resolved in the context of bug PPPM-14170 (27 October 2023). More details can be found in the Change Log for Plesk Obsidian.

    We're sorry to hear about your unattended feature requests. We assure you that we take all customer feedback seriously and strive to improve our product based on user needs. We'll make sure to review your previous requests. Feel free to open a support request with a reference to your comment in this article so we can take a closer look.

    We hope this clarifies the reasoning behind this feature. If you have any further questions or concerns, please don't hesitate to let us know.

  • eCom Seller

    I had an Ubuntu server doing it this morning:

    18.0.57 Ubuntu 20.04 1800231218.09

    127.0.0.1 - - [07/Feb/2024:15:06:10 +0000]...

    Switched that off and it began logging properly again.

